On Wed, Nov 20, 2019 at 03:38:10PM +0100, Jiri Olsa wrote:
>
> The only info really needed from BPF side is the globally unique
> prog ID where then audit user space tooling can query / dump all
> info needed about the specific BPF program right upon load event
> and enrich the record, thus these changes needed here can be kept
> small and non-intrusive to the core.
...
> +static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event)
> +{
> + bool has_task_context = event == BPF_EVENT_LOAD;
> + struct audit_buffer *ab;
> +
> + if (audit_enabled == AUDIT_OFF)
> + return;
> + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> + if (unlikely(!ab))
> + return;
> + if (has_task_context)
> + audit_log_task(ab);
> + audit_log_format(ab, "%sprog-id=%u event=%s",
> + has_task_context ? " " : "",
> + prog->aux->id, bpf_event_audit_str[event]);
> + audit_log_end(ab);
Single prog ID is enough for perf_event based framework to track everything
about the programs and should be enough for audit.
Could you please resend as proper patch with explicit 'From:' ?
Since I'm not sure what is the proper authorship of the patch.. Daniel's or yours.
